Update doc for #2250

Maxime Besson 2020-07-29 20:16:40 +02:00
parent c6358d7587
commit fde469b0e1
4 changed files with 44 additions and 2 deletions

View File

@ -82,8 +82,11 @@ Connection
``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
also use cafile and capath parameters.
- **Server port**: TCP port used by LDAP server. Can be overridden by
an LDAP URI in server host.
- **Server port**: TCP port used by LDAP server if different from the standard
ports. Can also be specified in the server host URI.
- **Verify LDAP server certificate**: It is highly recommended to verify the
identity of the remote server. This setting is only enforced for LDAPS or
TLS connections.
- **Users search base**: Base of search in the LDAP directory.
- **Account**: DN used to connect to LDAP server. By default, anonymous
bind is used.
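Review bot: the new **Verify LDAP server certificate** entry says the setting is only enforced for LDAPS or TLS, but it gives neither the default nor the accepted values, while the configuration-backend hunk in this same commit lists ``require``, ``optional`` and ``none`` and the session-backend table states the default as ``require``. Suggest adding one sentence here, e.g. "Defaults to ``require``; ``none`` disables validation entirely", so the Manager documentation agrees with the backend documentation.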
@ -95,6 +98,12 @@ Connection
(see
`Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
documentation).
- **CA file path**: This allows you to override the default system-wide
certificate authorities by giving a single file containing the CA used by the
LDAP server.
- **CA directory path**: This allows you to override the default system-wide
certificate authorities by giving the path of a directory containing your
trusted certificates.
.. attention::
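Review bot: the new **CA file path** and **CA directory path** settings overlap with the ``cafile`` and ``capath`` URI parameters documented in the context at the top of the previous hunk, and the text does not say which one wins when both are given; suggest stating the precedence explicitly. While here, the example URI in that context (``ldap+tls://server/verify=none&capath=/etc/ssl``) still shows ``verify=none``, which is the very setting this commit is steering users away from; consider changing the example to ``verify=require``.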

View File

@ -89,6 +89,14 @@ Parameters:
- **ldapAttributeId**: RDN attribute of configuration entry (optional)
- **ldapAttributeContent**: attribute used to store configuration
values, must be multivalued (optional)
- **ldapVerify**: When using a LDAPS or TLS server, whether or not to validate the server certificate. Possible values: ``require``, ``optional`` or ``none``.
- **ldapCAFile**: This allows you to override the default system-wide
certificate authorities by giving a single file containing the CA used by the
LDAP server.
- **ldapCAPath**: This allows you to override the default system-wide
certificate authorities by giving the path of a directory containing your
trusted certificates.
.. |image0| image:: /documentation/configuration-ldap.png
:class: align-center
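Review bot: the new **ldapVerify** line lists ``optional`` as a possible value without saying how it differs from ``require``, so a reader may take it for a safe middle ground; suggest one clause per value, or at least "use ``require`` unless you have a specific reason". The line is also a single unwrapped line while the neighbouring entries (including the two new CA entries just below) wrap at roughly 80 columns; wrap it the same way.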

View File

@ -54,6 +54,9 @@ Name Comment Default value
**ldapObjectClass** Objectclass of the entry applicationProcess
**ldapAttributeId** Attribute storing session ID cn
**ldapAttributeContent** Attribute storing session content description
**ldapVerify** Perform certificate validation require (use none to disable)
**ldapCAFile** Path of CA file bundle (system CA bundle)
**ldapCAPath** Perform CA directory (system CA bundle)
======================== ================================= ===============================
Security
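Review bot: the comment cell of the **ldapCAPath** row reads "Perform CA directory", which looks copied from the ldapVerify row above it; it should read "Path of CA directory" to match the ldapCAFile row ("Path of CA file bundle"). Since this is an RST simple table delimited by the ``====`` rule below, also check that the three new rows stay within the existing column widths (the ldapVerify default cell "require (use none to disable)" is the longest), otherwise the table fails to render.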

View File

@ -39,6 +39,28 @@ backups and a rollback plan ready!
- Incremental lock times values can now be set by using Manager.
It must a list of comma separated values. Default values are ``5, 15, 60, 300, 600``
LDAP certificate validation
~~~~~~~~~~~~~~~~~~~~~~~~~~~
LDAP server certificates were previously not verified by default when using secure transports (LDAPS or TLS), see `CVE-2020-16093 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250>`__. Starting from this release, certificate validation is now enabled by default, including on existing installations.
If you have configured your CA certificates incorrectly, LemonLDAP::NG will now start complaining about invalid certificates. You may temporarily disable it again with the following command ::
/your/path/to/lemonldap-ng-cli set ldapVerify none
If you use LDAP as a configuration storage, and wand to temporarily disable certificate validation, you must make the following addition to `/etc/lemonldap-ng/lemonldap-ng.ini` ::
[configuration]
...
ldapVerify = none
If you use LDAP as a session backend, and wand to temporarily disable certificate validation, you can add the following parameter to the list of Apache::Session module options:
* key: ``ldapVerify``
* value: ``none``
Please note that it is HIGHLY recommended to set certificate validation to `require` when contacting LDAP servers over a secure transport to avoid man-in-the-middle attacks.
2.0.8
-----
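Review bot: two typos in the added text, "wand to temporarily disable" should be "want to temporarily disable" (both the configuration-storage and the session-backend paragraphs). The RST markup is also inconsistent: `require` and `/etc/lemonldap-ng/lemonldap-ng.ini` use single backticks, which RST renders as interpreted text rather than a literal, while the rest of the hunk (``5, 15, 60, 300, 600``, ``ldapVerify``, ``none``) uses double backticks; and the two Apache::Session bullets use ``*`` where this file uses ``-``. Finally, the note only explains how to switch validation off; since the same commit documents ``ldapCAFile`` and ``ldapCAPath``, suggest pointing readers to those as the actual fix ("configure the CA with ldapCAFile or ldapCAPath") before the temporary ``ldapVerify none`` workaround.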